Don't Set The CISO Up To Fail

More healthcare organizations are hiring CISOs -- a good thing. But bad management structure, insufficient resources, and poor understanding of risks often doom these newly appointed security executives.

My 2013 national survey of healthcare organizations discovered that about half the CIOs in healthcare report to CFOs and other executives, and not the CEO. This structure is dangerous for both the organization and the CIO for several reasons.

First, the CIO's pay is reduced -- at least a full grade level lower -- than it should be. Second, the CIO cannot participate in organizational strategy meetings because of rank.

Most important, the CFO and other executives run IT and cyber security strategy, instead of the CIO. IT department pay, including that of the chief information security officer (CISO), is lowered, making it challenging for the healthcare organization to acquire and retain top talent. Finally, the CIO becomes an ideal whipping post for any failures, but other executives are well protected, even though they make the final decisions.

With the fall of Target's CEO, things appear to be improving. At every conference I attended recently I learned that CEOs and boards are now very engaged in cyber security discussions. Many are scrambling to hire their first CISOs. Because healthcare organizations' security lags behind retailers, it's even more critical for the nation's hospitals, clinics, and practices to recognize the value CIOs and CISOs deliver.

My survey also found many healthcare organizations pay insufficient attention to cyber security: In fact, 21% do not plan to have a CISO in the near future.

(Source: Impact of Security Culture on Security Compliance in Healthcare in the USA by Mansur Hasib, 2013)

The new breed of healthcare CIOs will have to include a strong cyber security strategy in their IT strategy, which in turn will drive the strategy for the entire organization because IT is the life blood of most organizations today. Some of these CIOs could come from the ranks of today's highly qualified and strategic CISOs -- people who understand business risks, can tailor strategy to mission, have continually learned (by earning appropriate advanced degrees and certifications), and have demonstrated cyber security leadership.

Although I am glad CEOs and boards are waking up and realizing the importance of cyber security strategy, a few observations concern me. Some CEOs and boards are engaging their IT and cyber security staff to "make sure this does not happen to us" -- without really understanding what cyber security or cyber security leadership is. Some departments are getting their cyber security budget doubled -- without even asking. Yet these organizations remain focused on a compliance culture that is expensive, tactical, and regressive. In addition, despite serious shortcomings, some organizations are even embracing the new NIST Cybersecurity Framework as a badge of honor and adopting it as an auditing standard.

However, any organization that spends money on cyber security as a separate component of the IT budget is approaching it wrong. Cyber security must be baked into the entire IT strategy.

During my 30 years of managing IT and my 12 years as a CIO in healthcare, biotechnology, and education, I never spent on cyber security as a separate component. I always focused my IT strategy on the organization's mission. I always implemented systems and technology with the goals of maximizing confidentiality, integrity, and availability, using a balanced mix of technology, policy, and people while perennially improving over time.

I used a risk balancing (of both positive and negative risks) approach to prioritize spending, frequently using a multi-year transparent vision. I empowered and trained all the people in my organization, ensuring they could use technology to make themselves more productive and innovative. I implemented a governance framework that encouraged teamwork, fun, transparency, continual learning, and a virtuous culture of innovation and safety. This is what modern cyber security is and what a cyber security culture can achieve.

Pursuing compliance is like planting annual flowers. They look great for a short while. Then they die and get more expensive each year. Compliance in technology and policy does not govern behavior of people; culture does. We should invest in a cyber security culture and gain the benefit of perennial flowers. They improve in quality, abundance, and size each year and you can even divide them and spread them around your garden. It is time for cyber security leadership.

Here's a step-by-step plan to mesh IT goals with business and customer objectives and, critically, measure your initiatives to ensure that the business is successful. Get the How To Tie Tech Innovation To Business Strategy report today (registration required).

Dr. Mansur Hasib is the only cybersecurity professional in the world with 12 years' experience as CIO; a Doctor of Science (DSc) in Cybersecurity; CISSP (cybersecurity); PMP (project management), and CPHIMS (healthcare) certifications, who has written two books on the ... View Full Bio

@Sunita - good point. The CISO role is greatly misunderstood in healthcare. People and even some healthcare CIOs in organizations where most of the IT work is outsourced do not understand the role of the CISO. In one such organization where they were paying the CIO in the 700K range wanted to hire a CISO at the 140K range. Even the reporting relationships did not make sense.

@Alison: I second that. Security is indeed part of your organization?s culture and should always be valued first. Even the higher tier officials like CEO and CFO should always be informed about the working security of the company, no matter how little it is.

Cyber Security Most organizations rely on a third party company for their cyber security. Some companies invest little budget for their cyber security and do not keep track of it. Most of the upper level engineers working in a specific department are not knocked every time someone hits a dead end in cyber security. This enlarges the problem, since if senior engineers don?t know what kind of security they?ll be getting, they would continue their work on that specific software, compromising the database.

In one way, it's encouraging to learn that more healthcare organizations recognize they must hire a c-level executive to oversee security, realizing security responsibility is more than the CIO can take on. On the other hand, your points about management structure resonate -- and I would imagine many CIOs and CISOs who find themselves in the position you describe (where they report to the CFO or other non-CEO exec) are nodding their heads in frustration and agreement with your points about salary, responsibility, and the burdens they face.

The best organizations in any vertical appear to have realized that security extends far beyond technologies and processes; rather, security is part of their culture and as the leader of all facets of security, the CISO is a key part of the organization's leadership team. S/he is integral to pretty much every aspect of that organization's future growth, measuring risk vs reward, and cannot be seen as lesser to the CFO or any other c-level exec.

To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.

Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.